Amazon S3 Flashcards
What is Amazon S3?
Amazon S3 is an infinitely scalable object storage service used by websites and AWS services.
What are common use cases for Amazon S3?
Backup, Disaster Recovery, Archive, Hybrid Cloud, Application/Media Hosting, Data lakes, Static websites.
What is an S3 bucket?
A globally unique container for objects; region-specific.
What are naming rules for S3 buckets?
3–63 chars, lowercase only, no underscores, not an IP, no xn-- prefix or -s3alias suffix.
What is an S3 object?
File stored in a bucket, has a key (full path), content, metadata, tags, version ID.
What is the max size of an S3 object?
5TB; >5GB requires multi-part upload.
What are S3 object metadata and tags?
Metadata: text key/value pairs; Tags: up to 10 Unicode key/value pairs.
What are user-based and resource-based S3 access controls?
User-based: IAM Policies; Resource-based: Bucket policies, Object ACLs.
What is a bucket policy in S3?
JSON policy to allow/deny access, enforce encryption, or grant cross-account access.
What is the purpose of Block Public Access settings?
To prevent data leaks; should remain on unless public access is intentional.
Can S3 host websites?
Yes, for static sites; accessible via special S3 website endpoint.
What does a 403 error on S3 website mean?
Likely missing bucket policy for public read access.
What is S3 versioning?
Keeps multiple versions of objects; enabled per bucket.
What is the default version for pre-versioned files?
Null.
What does suspending versioning do?
Stops new versions but retains existing ones.
What is S3 replication?
Replicates objects from source to destination bucket across or within regions.
What are requirements for S3 replication?
Enable versioning on both buckets and provide IAM permissions.
Can S3 replicate existing objects?
Not by default; use S3 Batch Replication.
Can S3 replicate deletes?
Yes for delete markers; deletions of specific object versions are not replicated.
What is S3 replication chaining?
Not supported; replication does not cascade.
What are S3 storage classes?
Standard, Standard-IA, One Zone-IA, Glacier IR/FR/DA, Intelligent Tiering.
What is S3 durability?
11 nines (99.999999999%) across multiple AZs.
What is S3 availability?
Varies by class; e.g., Standard: 99.99%.
When should you use S3 Standard?
Frequently accessed data with high availability needs.
What is Standard-IA used for?
Less frequently accessed data like DR backups.
What is One Zone-IA?
Infrequently accessed data in a single AZ; cheaper but less available.
What is Amazon S3 Glacier?
Low-cost archive storage with delayed retrieval.
What is S3 Glacier Instant Retrieval?
Millisecond access; for data accessed about once a quarter.
What are S3 Glacier Flexible Retrieval modes?
Expedited (1–5 min), Standard (3–5 hrs), Bulk (5–12 hrs).
What is S3 Glacier Deep Archive?
For long-term storage; retrieval in 12–48 hours.
What is S3 Intelligent Tiering?
Auto-moves objects between tiers based on access patterns.
What tiers does Intelligent Tiering include?
Frequent, Infrequent, Archive Instant, Archive, Deep Archive.
What is used to move objects between S3 storage classes?
Lifecycle Rules.
What can Lifecycle Transition Actions do?
Move objects to another storage class after a set time.
What can Lifecycle Expiration Actions do?
Expire (delete) objects or incomplete uploads after a set time.
Can Lifecycle Rules target specific prefixes or tags?
Yes.
What storage class for thumbnails that can be deleted after 60 days?
S3 One Zone-IA with an expiration rule.
Where should source images go that need to be retrieved quickly for 60 days?
S3 Standard with transition to Glacier after 60 days.
How to retain deleted S3 objects for 30 days, then archive?
Use S3 Versioning, transition noncurrent versions to IA then Glacier Deep Archive.
What does S3 Analytics help with?
Identifying when to transition objects between Standard and Standard-IA.
How often is the S3 Analytics report updated?
Daily.
What can S3 Event Notifications trigger on?
ObjectCreated, ObjectRemoved, ObjectRestore, Replication.
How are S3 Event Notifications delivered?
Typically within seconds, sometimes longer.
What does EventBridge provide over standard S3 Events?
Advanced filtering, multiple destinations, reliable delivery.
What is the baseline request rate per prefix in S3?
3,500 PUT/POST/DELETE, 5,500 GET/HEAD requests per second.
What can be done to scale S3 requests further?
Use multiple prefixes.
When should Multi-Part Upload be used?
Recommended for files >100MB, required >5GB.
What does S3 Transfer Acceleration do?
Speeds up uploads by routing them through AWS edge locations.
What is S3 Byte-Range Fetch used for?
Parallel downloads, partial data access.
What are S3 Object Tags used for?
Permissions, analytics grouping.
Can S3 tags or metadata be searched directly?
No; an external index such as DynamoDB must be used.
What prefix must user-defined metadata begin with?
The prefix x-amz-meta-
What is SSE-S3?
Server-side encryption with S3-managed keys, AES-256, enabled by default.
What is SSE-KMS?
Server-side encryption using keys managed in AWS KMS; enables audit via CloudTrail.
What is SSE-C?
Server-side encryption with customer-provided keys; AWS does not store the key.
What is client-side encryption in S3?
The client encrypts/decrypts data outside AWS using its own keys.
What header is used for SSE-S3?
x-amz-server-side-encryption: "AES256"
What header is used for SSE-KMS?
x-amz-server-side-encryption: "aws:kms"
What is a limitation of SSE-KMS?
Upload/download calls count toward KMS API quota.
What must be used with SSE-C?
HTTPS; the key is sent in every request.
What is S3 encryption in transit?
SSL/TLS encryption via HTTPS endpoint.
How can encryption be enforced on a bucket?
Use bucket policy to deny unencrypted PUTs.
What is CORS in S3?
Allows cross-origin browser access using configured headers.
What does MFA Delete do?
Requires MFA to permanently delete versioned objects or suspend versioning.
When is MFA required for S3?
To delete object versions or suspend versioning.
What are S3 Access Logs?
Logs of all access requests, written to another S3 bucket.
What should you avoid with access logs?
Don’t log to the same bucket being monitored.
What is a pre-signed URL in S3?
Temporary URL for access; inherits permissions from creator.
How long can a pre-signed URL last?
Max 12 hours via console, 168 hours via CLI.
What are S3 Access Points?
Custom endpoints with policies for managing access to S3.
What is a VPC Origin Access Point?
S3 Access Point only accessible via VPC endpoint.
What is S3 Object Lambda?
Invokes a Lambda function to transform an object before returning it to the caller.
Give a use case for Object Lambda.
Resize images dynamically for each requester.
Can S3 Access Points be used with VPCs?
Yes, through VPC Endpoints.